(54) COMMUNICATION SYSTEM, KEY DISTRIBUTION CONTROL DEVICE, AND RADIO LAN BASE STATION DEVICE



(57) There are provided a communication system, a key distribution control device, and a Wireless LAN base station device capable of more closely synchronizing the key configuration time of the Wireless LAN base station device with that of a communication terminal device, thereby reducing the communication cut-off period generated between the Wireless LAN base station device and the communication terminal device. In this communication system, an AP control device (100) can concatenate (encapsulate) an EAPoL-Key frame as first key information used by the communication terminal device (300) and second key information used by the Wireless LAN base station device (200) so as to generate a single frame (a key configuration request frame) and transmit the frame to the Wireless LAN base station device (200). The Wireless LAN base station device (200) separates the received frame into the EAPoL-Key frame as the first key information and the second key information used by the Wireless LAN base station device (200). The EAPoL-Key frame is transmitted to the communication terminal device (300).
Description

Technical Field 

[0001] The present invention relates to a communication system, key distribution control apparatus, and Wireless LAN base station apparatus, and more particularly to a communication system relating to Wireless LAN, and a key distribution control apparatus and Wireless LAN base station apparatus that are components thereof.

Background Art 

[0002] In recent years, the diffusion of Wireless LAN (IEEE802.11 standard) has progressed, and large-scale Wireless LAN network systems have been constructed in public networks and corporate networks. Along with this, investigation has been undertaken into shifting from a method whereby an access point (AP) - for example, Wireless LAN base station apparatus - is set and installed individually, to a method whereby an Access controller that connects a plurality of Wireless LAN base station apparatus performs Wireless LAN base station apparatus automatic configuration, fault management, statistical information collection, and so forth, en bloc. This investigation has been carried out by IETF (Internet Engineering Task Force) and IEEE802.11 Working Group, and progress is being made in drawing up standards.

[0003] Thus, investigation has been carried out into an architecture in which bridge processing between Wireless LAN frame (IEEE802.11 standard) and Ethernet (registered trademark) frame is not performed by Wireless LAN base station apparatus, but is performed by an AP control apparatus, and an authentication port opening/closing location is also moved from Wireless LAN base station apparatus to the AP control apparatus. In such an architecture, LWAPP (lightweight access point protocol) has been proposed by the IETF CAPWAP Working Group as a protocol for managing APs. With this LWAPP, the AP control apparatus performs automatic configuration of configuration information, fault management, statistical information collection, encryption key information configuration, and so forth, for Wireless LAN base station apparatus.

[0004] In the communication system proposed here (see Non-patent Document 1), an AP control apparatus reports an encryption key to a communication terminal by means of an EAPoL-Key frame when key configuration is performed. At this time, an Add Mobile Request frame is sent to an access point at the same timing. Thus, an encryption key necessary for communication between a communication terminal and Wireless LAN base station apparatus is distributed to the communication terminal and Wireless LAN base station apparatus by the AP control apparatus. An encryption key sent to a communication terminal from the AP control apparatus is delivered via the Wireless LAN base station apparatus.

Non-patent Document 1: IETF draft draft-ohara-capwap-lwapp-00.txt "Light Weight Access Point Protocol"

Disclosure of Invention 

Problems to be Solved by the Invention

[0005] However, in a conventional communication system, an AP control apparatus serving as a key distribution control apparatus sends different frames to Wireless LAN base station apparatus and a communication terminal when communication terminal authentication is successful. Therefore, in the event of congestion of the network system between the AP control apparatus and Wireless LAN base station apparatus, there is a great difference in the timings at which the frames sent by the AP control apparatus reach the Wireless LAN base station apparatus and the communication terminal, and as a result of this difference, a difference may arise between the encryption key configuration times in the communication terminal and the Wireless LAN base station apparatus.

[0006] If there is a difference between the encryption key configuration times, a state will arise in which the encryption key is set in only one or other of the communication terminal or the Wireless LAN base station apparatus, and in this state, communication cannot be carried out between the communication terminal and the Wireless LAN base station apparatus. For example, if the encryption key is first set only in the Wireless LAN base station apparatus, and encryption key configuration in the communication terminal is delayed, until encryption key configuration is performed in the communication terminal a frame sent from the Wireless LAN base station apparatus is encrypted, but the communication terminal receiving that frame cannot decrypt that encrypted frame.

[0007] It is an object of the present invention to provide a communication system, key distribution control apparatus, and Wireless LAN base station apparatus that enable the key configuration times of Wireless LAN base station apparatus and communication terminal to be synchronized to a greater degree, and a period of interruption of communication arising between Wireless LAN base station apparatus and communication terminal to be shortened.

Means for Solving the Problems 

[0008] A first feature of the present invention is that a communication system has a communication terminal, Wireless LAN base station apparatus that is accessed by the communication terminal, and a key distribution control apparatus that distributes encryption key information used in communication between the communication terminal and the Wireless LAN base station apparatus; the key distribution control apparatus is provided with a generation section that links first encryption key information used by the communication terminal and second encryption key information used by the Wireless LAN base station apparatus, and generates one key information frame; and the Wireless LAN base station apparatus is provided with a separation section that separates the key information frame into the first encryption key information and the second encryption key information, and a transmitting section that transmits the first encryption key information to the communication terminal.

[0009] A second feature of the present invention is that a key distribution control apparatus is provided with: a generation section that distributes encryption key information used in communication between a communication terminal and Wireless LAN base station apparatus accessed by the communication terminal, links first encryption key information used by the communication terminal and second encryption key information used by the Wireless LAN base station apparatus, and generates one key information frame; and a transmitting section that transmits the key information frame to the Wireless LAN base station apparatus.

[0010] A third feature of the present invention is that Wireless LAN base station apparatus is provided with: a separation section that receives the key information frame from the above-described key distribution control apparatus, and separates the key information frame into the first encryption key information and the second encryption key information; and a transmitting section that transmits the first encryption key information to the communication terminal.

Advantageous Effect of the Invention 

[0011] According to the present invention, it is possible to provide a communication system, key distribution control apparatus, and Wireless LAN base station apparatus that enable the key configuration times of Wireless LAN base station apparatus and communication terminal to be synchronized to a greater degree, and a period of interruption of communication arising between Wireless LAN base station apparatus and communication terminal to be shortened.

Brief Description of Drawings 

[0012]

FIG. 1 is a block diagram showing the configuration of a communication system according to one embodiment of the present invention;
FIG. 2 is a block diagram showing the configuration of the AP control apparatus in FIG. 1;
FIG. 3 is a drawing showing an example of the configuration of a key management table;
FIG. 4 is a drawing for explaining the configuration of a key configuration request frame;
FIG. 5 is a block diagram showing the configuration of Wireless LAN base station apparatus in FIG. 1; and
FIG. 6 is a sequence diagram showing the flow of operations of a communication system according to one embodiment.

Best Mode for Carrying Out the Invention 

[0013] An embodiment of the present invention will now be described in detail with reference to the accompanying drawings.

[0014] First, the configuration of a communication system according to this embodiment will be described with reference to FIG. 1.

[0015] As shown in FIG. 1, a communication system 10 according to this embodiment includes communication terminals 300, Wireless LAN base station apparatus 200 that are accessed by communication terminals 300, an AP control apparatus 100 serving as a key distribution control apparatus that distributes encryption key information used in communication between communication terminals 300 and Wireless LAN base station apparatus 200, and a network system 600. AP control apparatus 100 is connected to an authentication server apparatus 20 and a core network system 30.

[0016] In this communication system 10, AP control apparatus 100 links first key information used by a communication terminal 300 and second key information used by Wireless LAN base station apparatus 200 and generates one frame, and transmits this frame to Wireless LAN base station apparatus 200. Wireless LAN base station apparatus 200 separates the frame sent from AP control apparatus 100 into first key information and second key information. Then Wireless LAN base station apparatus 200 transmits the first key information to communication terminal 300, and uses the second key information in communication with communication terminal 300.

[0017] As shown in FIG. 2, AP control apparatus 100 is equipped with an authentication control section 101, a terminal-side transmitting/receiving section 102, a network-side transmitting/receiving section 103, a key encapsulation section 104 serving as a generation section that links first key information used by a communication terminal 300 and second key information used by Wireless LAN base station apparatus 200 and generates one frame, and a key management table 105.

[0018] When authentication control section 101 receives an authentication request from a communication terminal 300 via terminal-side transmitting/receiving section 102, authentication control section 101 sends this authentication request to authentication server apparatus 20 via network-side transmitting/receiving section 103.

[0019] Also, authentication control section 101 receives Access-Accept from authentication server apparatus 20 via network-side transmitting/receiving section 103 as a successful result of authentication corresponding to an authentication request, and sends this Access-Accept to communication terminal 300 via terminal-side transmitting/receiving section 102 as EAP-Success.

[0020] Furthermore, authentication control section 101 sends an EAPoL-Key frame - which is first key information that should be reported to communication terminal 300 - to key encapsulation section 104.

[0021] Key encapsulation section 104 performs the following operations only upon receiving an EAPoL-Key frame from authentication control section 101. Specifically, key encapsulation section 104 extracts from key management table 105 a terminal MAC address corresponding to the above communication terminal 300 for which authentication has been successful, and second key information used by Wireless LAN base station apparatus 200, and creates a key element. In key management table 105, terminal MAC addresses corresponding to each of the communication terminals 300 are stored together with corresponding second key information used by Wireless LAN base station apparatus 200.

[0022] Key encapsulation section 104 also creates an EAPoL element from a received EAPoL-Key frame. Then key encapsulation section 104 creates a key configuration request frame from the created key element and EAPoL element.

[0023] As shown in FIG. 4, this key configuration request frame has a basic configuration made up of an Ether header section 410, an AP management protocol header section 420, a key element 430, and an EAPoL element 440. It is here assumed that AP control apparatus 100 and Wireless LAN base station apparatus 200 are connected by means of an Ethernet (registered trademark).

[0024] In a key configuration request frame, Ether header section 410 is outermost, with AP management protocol header section 420 inward of this. In the AP management protocol various messages are necessary, such as messages for AP configuration, collection of statistical information, and so forth, but in the present invention, only a key configuration request is stipulated. The fact that the frame is a key configuration request frame is indicated by AP management protocol header section 420.

[0025] Ether header section 410 contains a destination MAC address (here, the MAC address of Wireless LAN base station apparatus 200), a transmission source MAC address (here, the MAC address of AP control apparatus 100), and an Ether type - that is, a type indicating an AP control protocol.

[0026] A key configuration request frame has two elements - key element 430 and EAPoL element 440. Key element 430 contains a terminal MAC address 411 corresponding to communication terminal 300, a key type 412 (a type stipulating either a unicast key or a broadcast key), and actual second key information 413 used by Wireless LAN base station apparatus 200.

[0027] Also, EAPoL element 440 contains an EAPoL-Key frame - that is, the actual first key information used by communication terminal 300. This EAPoL-Key frame is adapted to the form of frames exchanged between communication terminal 300 and Wireless LAN base station apparatus 200 so that there is no need for frame conversion by Wireless LAN base station apparatus 200. For example, if communication terminal 300 and Wireless LAN base station apparatus 200 are connected by means of a wireless LAN, the frame form used by the wireless LAN - for example, an EAPoL-Key frame, which is the frame form (signal form) used in the data link layer - is stored in the key configuration request frame.

[0028] Thus, key encapsulation section 104 links (encapsulates) an EAPoL-Key frame as first key information used by communication terminal 300, and second key information used by Wireless LAN base station apparatus 200, and generates one frame (a key configuration request frame).

[0029] Then key encapsulation section 104 sends the generated key configuration request frame to Wireless LAN base station apparatus 200 via terminal-side transmitting/receiving section 102.

[0030] As shown in FIG. 5, Wireless LAN base station apparatus 200 is equipped with a frame distribution section 201, a network-side transmitting/receiving section 203, a key decapsulation section 204 serving as a separation section that separates a key configuration request frame from AP control apparatus 100 into first key information and second key information, a terminal-side transmitting/receiving section 202 that transmits separated first key information to communication terminal 300, and a key management table 205.

[0031] When frame distribution section 201 receives an authentication request from a communication terminal 300 via terminal-side transmitting/receiving section 202, frame distribution section 201 sends this authentication request to AP control apparatus 100 via network-side transmitting/receiving section 203.

[0032] Also, when frame distribution section 201 receives EAP-Success from AP control apparatus 100 via network-side transmitting/receiving section 203 as a successful result of authentication corresponding to an authentication request, frame distribution section 201 sends this to communication terminal 300 via terminal-side transmitting/receiving section 202.

[0033] Furthermore, when frame distribution section 201 receives a key configuration request frame from AP control apparatus 100 via network-side transmitting/receiving section 203, frame distribution section 201 sends this to key decapsulation section 204.

[0034] When key decapsulation section 204 receives a key configuration request frame from frame distribution section 201, key decapsulation section 204 separates this key configuration request frame into a key element and an EAPoL element. Then key decapsulation section 204 extracts the terminal MAC address and key information from the key element, and extracts the EAPoL-Key frame from the EAPoL element.

[0035] Key decapsulation section 204 then sets the terminal MAC address and key information in key management table 205, and sends the EAPoL-Key frame to communication terminal 300 via terminal-side transmitting/receiving section 202. Key management table 205 has the same kind of configuration as key management table 105 shown in FIG. 3.

[0036] Thus, key decapsulation section 204 separates an EAPoL-Key frame serving as first key information used by communication terminal 300, and second key information used by Wireless LAN base station apparatus 200, encapsulated by AP control apparatus 100, and sends the EAPoL-Key frame serving as first key information via terminal-side transmitting/receiving section 202.

[0037] Then, since the EAPoL-Key frame has previously been adapted to the form of frames exchanged between communication terminal 300 and Wireless LAN base station apparatus 200 when encapsulated by AP control apparatus 100, Wireless LAN base station apparatus 200 can send the EAPoL-Key frame serving as first key information to communication terminal 300 without performing particularly burdensome processing other than separating the key configuration request frame in key decapsulation section 204.
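
The key configuration request frame of FIG. 4 and its separation at the base station, as an added example that is not part of the patent text: a Python sketch of key encapsulation section 104 and key decapsulation section 204. The field widths, element and message type codes and the EtherType value are assumptions, since the page names the sections but gives no encodings; the MAC addresses, key and EAPoL-Key body are constructed sample values.

```python
import struct

# Every numeric code and field width here is an assumption for this sketch;
# the page names sections 410/420/430/440 but does not define their encoding.
ETHERTYPE_AP_CTRL = 0x88B5        # IEEE "local experimental" EtherType
MSG_KEY_CONFIG_REQUEST = 0x01     # AP management protocol message type
ELEM_KEY, ELEM_EAPOL = 0x01, 0x02
KEY_UNICAST, KEY_BROADCAST = 0, 1

ETH_HDR = struct.Struct("!6s6sH")   # 410: destination MAC, source MAC, Ether type
MGMT_HDR = struct.Struct("!BH")     # 420: message type, payload length
ELEM_HDR = struct.Struct("!BH")     # element type, value length


def _element(elem_type, value):
    return ELEM_HDR.pack(elem_type, len(value)) + value


def build_key_config_request(ap_mac, ctrl_mac, sta_mac, key_type, ap_key, eapol_key):
    """AP control apparatus side: link both pieces of key information into one frame."""
    if len(sta_mac) != 6 or key_type not in (KEY_UNICAST, KEY_BROADCAST) or not ap_key:
        raise ValueError("bad terminal MAC, key type or key")
    payload = (_element(ELEM_KEY, sta_mac + bytes([key_type]) + ap_key)   # 430
               + _element(ELEM_EAPOL, eapol_key))                         # 440
    return (ETH_HDR.pack(ap_mac, ctrl_mac, ETHERTYPE_AP_CTRL)
            + MGMT_HDR.pack(MSG_KEY_CONFIG_REQUEST, len(payload))
            + payload)


def parse_key_config_request(frame):
    """Base station side: separate the frame; ValueError on any malformed input."""
    start = ETH_HDR.size + MGMT_HDR.size
    if len(frame) < start:
        raise ValueError("frame too short")
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    msg_type, payload_len = MGMT_HDR.unpack_from(frame, ETH_HDR.size)
    if ethertype != ETHERTYPE_AP_CTRL or msg_type != MSG_KEY_CONFIG_REQUEST:
        raise ValueError("not a key configuration request")
    if payload_len > len(frame) - start:
        raise ValueError("payload length exceeds frame")
    payload = frame[start:start + payload_len]    # trailing Ethernet padding ignored
    elements, off = {}, 0
    while off < len(payload):
        if len(payload) - off < ELEM_HDR.size:
            raise ValueError("truncated element header")
        etype, elen = ELEM_HDR.unpack_from(payload, off)
        off += ELEM_HDR.size
        if elen > len(payload) - off:
            raise ValueError("element length exceeds payload")
        if etype in elements:
            raise ValueError("duplicate element")
        elements[etype] = payload[off:off + elen]
        off += elen
    if set(elements) != {ELEM_KEY, ELEM_EAPOL}:
        raise ValueError("need exactly one key element and one EAPoL element")
    key_val = elements[ELEM_KEY]
    if len(key_val) < 8:                          # MAC(6) + key type(1) + >=1 key byte
        raise ValueError("key element too short")
    sta_mac, key_type, ap_key = key_val[:6], key_val[6], key_val[7:]
    if key_type not in (KEY_UNICAST, KEY_BROADCAST):
        raise ValueError("unknown key type")
    eapol = elements[ELEM_EAPOL]
    # EAPOL header: version, packet type (3 = EAPOL-Key), 2-byte body length
    if (len(eapol) < 4 or eapol[1] != 3
            or struct.unpack_from("!H", eapol, 2)[0] != len(eapol) - 4):
        raise ValueError("EAPoL element is not a well-formed EAPOL-Key frame")
    return sta_mac, key_type, ap_key, eapol


def handle_key_config_request(frame, key_table):
    """Install the base-station key and return the EAPoL-Key frame to forward.

    The whole frame is validated before the table is touched, so a malformed
    frame never leaves a key installed without the terminal's frame going out.
    """
    try:
        sta_mac, key_type, ap_key, eapol = parse_key_config_request(frame)
    except ValueError:
        return None                               # nothing installed, nothing forwarded
    key_table[(sta_mac, key_type)] = ap_key       # key management table 205
    return eapol                                  # forwarded unchanged to the terminal


# Constructed sample values (not from the page).
CTRL_MAC = bytes.fromhex("020000000100")
AP_MAC = bytes.fromhex("020000000200")
STA_MAC = bytes.fromhex("020000000300")
AP_KEY = bytes(range(16))
EAPOL_KEY = bytes([2, 3]) + struct.pack("!H", 8) + b"\xaa" * 8   # placeholder body

if __name__ == "__main__":
    table = {}
    req = build_key_config_request(AP_MAC, CTRL_MAC, STA_MAC, KEY_UNICAST, AP_KEY, EAPOL_KEY)
    print("forwarded:", handle_key_config_request(req, table).hex())
    print("truncated:", handle_key_config_request(req[:-3], table))
```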

[0038] Next, the operation flow of communication system 10 will be described with reference to FIG. 6.

[0039] In step ST501, communication terminal 300 performs authentication with respect to authentication server apparatus 20 using an IEEE802.1x/EAP protocol. There are various kinds of EAP - such as EAP-TLS, EAP-TTLS, and EAP-PEAP - according to the type of authentication, but the present invention is not dependent on the type of authentication. Then, when communication terminal 300 authentication terminates normally, a key source called a master key is generated by communication terminal 300 and authentication server apparatus 20.

[0040] In step ST502, Access-Accept is transmitted to AP control apparatus 100 from authentication server apparatus 20 as a successful authentication result.

[0041] In step ST503, AP control apparatus 100 reports Access-Accept to communication terminal 300 as EAP-Success.

[0042] Next, in step ST504, a key configuration request frame generated by AP control apparatus 100 is transmitted to Wireless LAN base station apparatus 200.

[0043] In step ST505, the key configuration request frame is separated by Wireless LAN base station apparatus 200, and the extracted EAPoL-Key frame is sent to communication terminal 300. If necessary, Wireless LAN base station apparatus 200 may also transmit a key configuration request frame confirmation response to AP control apparatus 100.

[0044] In the description of this embodiment, it is assumed that AP control apparatus 100 and Wireless LAN base station apparatus 200 are connected by means of an Ethernet (registered trademark), and frame exchange is performed in the data link layer, but the present invention is not limited to this, and communication may also be performed in the UDP/IP network layer. In this case, a UDP/IP header is encapsulated instead of Ether header section 410 of the key configuration request frame shown in FIG. 4.



[0045] Thus, in a communication system according to this embodiment, in AP control apparatus 100, it is possible to link (encapsulate) an EAPoL-Key frame as first key information used by a communication terminal 300 and second key information used by Wireless LAN base station apparatus 200, and generate one frame (key configuration request frame), and to send this frame to Wireless LAN base station apparatus 200. In Wireless LAN base station apparatus 200, the received frame is separated into an EAPoL-Key frame serving as first key information, and second key information used by Wireless LAN base station apparatus 200, and this EAPoL-Key frame is transmitted to communication terminal 300.

[0046] Therefore, there is no time difference in the delivery of an EAPoL-Key frame and second key information to Wireless LAN base station apparatus 200, and communication terminal 300 and Wireless LAN base station apparatus 200 can perform communication without the intermediation of a network, so that very little time is taken for an EAPoL-Key frame to be transmitted from Wireless LAN base station apparatus 200 to communication terminal 300, enabling the key configuration times of Wireless LAN base station apparatus 200 and communication terminal 300 to be virtually synchronized, and thereby making it possible to shorten a period of interruption of communication due to non-synchronization of key configuration times arising between Wireless LAN base station apparatus 200 and communication terminal 300.

[0047] Furthermore, in a communication system according to this embodiment, in AP control apparatus 100, the signal form of an EAPoL-Key frame serving as first key information is adapted to the frame form (signal form) used between Wireless LAN base station apparatus 200 and communication terminal 300, and an EAPoL-Key frame and second key information used by Wireless LAN base station apparatus 200 are linked (encapsulated), and one frame (key configuration request frame) is generated. In Wireless LAN base station apparatus 200, the received frame is separated into an EAPoL-Key frame serving as first key information, and second key information used by Wireless LAN base station apparatus 200, and this EAPoL-Key frame is transmitted to communication terminal 300.

[0048] Therefore, since the EAPoL-Key frame has previously been adapted to the form of frames exchanged between communication terminal 300 and Wireless LAN base station apparatus 200 when encapsulated by AP control apparatus 100, Wireless LAN base station apparatus 200 can send the EAPoL-Key frame serving as first key information to communication terminal 300 without performing particularly burdensome processing other than separating the key configuration request frame. As a result, the processing time required by Wireless LAN base station apparatus 200 can be shortened, enabling the key configuration times of Wireless LAN base station apparatus 200 and communication terminal 300 to be virtually synchronized, and thereby making it possible to shorten a period of interruption of communication due to non-synchronization of key configuration times arising between Wireless LAN base station apparatus 200 and communication terminal 300.

[0049] The present application is based on Japanese Patent Application No. 2004-201944 filed on July 8, 2004, entire content of which is expressly incorporated herein by reference.

Industrial Applicability 

[0050] A communication system, key distribution control apparatus, and Wireless LAN base station apparatus of the present invention have the effects of synchronizing the key configuration times of Wireless LAN base station apparatus and communication terminal to a greater degree, and shortening a period of interruption of communication arising between Wireless LAN base station apparatus and communication terminal, and can be used effectively in Wireless LAN communication system, and an access point control apparatus and access points that are components thereof.



Claims

1. A communication system comprising:
a communication terminal;
Wireless LAN base station apparatus that is accessed by the communication terminal; and
a key distribution control apparatus that distributes encryption key information used in communication between the communication terminal and the Wireless LAN base station apparatus, wherein:
the key distribution control apparatus has a generation section that links first encryption key information used by the communication terminal and second encryption key information used by the Wireless LAN base station apparatus, and generates one key information frame; and
the Wireless LAN base station apparatus has:
a separation section that separates the key information frame into the first encryption key information and the second encryption key information; and
a transmitting section that transmits the first encryption key information to the communication terminal.

2. The communication system according to claim 1, wherein:
the generation section of the key distribution control apparatus generates the key information frame, taking the first encryption key information as a signal form used in a data link layer between the Wireless LAN base station apparatus and the communication terminal; and
the transmitting section of the Wireless LAN base station apparatus transmits the first encryption key information from the separation section directly in accordance with the signal form.

3. A key distribution control apparatus that distributes encryption key information used in communication between a communication terminal and Wireless LAN base station apparatus that is accessed by the communication terminal, comprising:
a generation section that links first encryption key information used by the communication terminal and second encryption key information used by the Wireless LAN base station apparatus, and generates one key information frame; and
a transmitting section that transmits the key information frame to the Wireless LAN base station apparatus.

4. The key distribution control apparatus according to claim 3, wherein the generation section generates the key information frame, taking the first encryption key information as a signal form used in a data link layer between the Wireless LAN base station apparatus and the communication terminal.

5. Wireless LAN base station apparatus that receives a key information frame from a key distribution control apparatus that has:
a generation section that distributes encryption key information used in communication between a communication terminal and Wireless LAN base station apparatus that is accessed by the communication terminal, and that links first encryption key information used by the communication terminal and second encryption key information used by the Wireless LAN base station apparatus, and generates one key information frame; and
a transmitting section that transmits the key information frame to the Wireless LAN base station apparatus;
wherein the Wireless LAN base station apparatus comprises:
a separation section that separates the key information frame into the first encryption key information and the second encryption key information; and
a transmitting section that transmits the first encryption key information to the communication terminal.

6. The Wireless LAN base station apparatus according to claim 5, wherein the transmitting section transmits the first encryption key information from the separation section directly in accordance with the signal form.



Amended claims under Art. 19.1 PCT 

1. (Amended) A communication system comprising:
a communication terminal;
a wireless LAN base station apparatus that is accessed by the communication terminal; and
a key distribution control apparatus that distributes encryption key information used in communication between the communication terminal and the wireless LAN base station apparatus, wherein:
the key distribution control apparatus has a generation section that links first encryption key information used by the communication terminal and second encryption key information used by the wireless LAN base station apparatus, and generates one key information frame;
the wireless LAN base station apparatus has:
a separation section that separates the key information frame into the first encryption key information and the second encryption key information; and
a transmitting section that transmits the first encryption key information to the communication terminal;
the generation section includes the first encryption key information in the form of a wireless LAN frame in the key information frame; and
the transmitting section transmits the first encryption key information directly in that form.

2. (Deleted)

3. (Amended) A key distribution control apparatus that distributes encryption key information used in communication between a communication terminal and a wireless LAN base station apparatus that is accessed by the communication terminal, comprising:
a generation section that links first encryption key information used by the communication terminal and second encryption key information used by the wireless LAN base station apparatus, and generates one key information frame; and
a transmitting section that transmits the key information frame to the wireless LAN base station apparatus;
wherein the generation section includes the first encryption key information in the form of a wireless LAN frame in the key information frame.

4. (Deleted)

5. (Amended) A wireless LAN base station apparatus that receives a key information frame from a key distribution control apparatus that has:
a generation section that distributes encryption key information used in communication between a communication terminal and a wireless LAN base station apparatus that is accessed by the communication terminal, and that links first encryption key information used by the communication terminal and second encryption key information used by the wireless LAN base station apparatus, and generates one key information frame; and
a transmitting section that transmits the key information frame to the wireless LAN base station apparatus, wherein:
the first encryption key information is included in the key information frame in the form of a wireless LAN frame;
the wireless LAN base station apparatus comprises:
a separation section that separates the key information frame into the first encryption key information and the second encryption key information; and
a transmitting section that transmits the first encryption key information to the communication terminal, and
the transmitting section transmits the first encryption key information directly in that form.

6. (Deleted)